A $1,000 AI Agent Found 21 Zero-Days in FFmpeg — Some Sitting Undetected for 23 Years

ACTION REQUIRED — Patch FFmpeg immediately: Update to the latest fixed upstream FFmpeg build. Do not stop at system packages — FFmpeg is widely embedded in Python wheels, container images, media pipelines, and appliances. Every embedded copy needs patching. Prioritize systems that ingest untrusted RTSP streams or AV1-over-RTP. Update Chrome to 149.0.7827.53 (Linux) or 149.0.7827.53/54 (Windows/macOS) immediately.
$1,000. 1.5 million lines of C. 21 zero-days. Some sitting undetected since 2003. The economics of vulnerability discovery just changed permanently. | DataWater Threat Brief, June 10, 2026

Sources: depthfirst.com (primary research) · The Hacker News · The Next Web · CybersecurityNews · Vulert · Martin Cid Magazine · Penligent AI · Red Secure Tech · SOC Defenders · TechGines | Agent: Depthfirst autonomous security agent | Target: FFmpeg — 1.5M lines of C | Findings: 21 confirmed zero-days, each with reproducible PoC | Cost: ~$1,000 total | CVEs assigned: CVE-2026-39210 through CVE-2026-39218 (9 numbered, 12 pending)

$1,000. 21 zero-days. Some sitting in the code for 23 years.

On June 6, 2026, security startup depthfirst published a research report that recalibrated the mental model of everyone tracking AI-assisted vulnerability discovery. Their production autonomous security agent scanned FFmpeg — the world’s most widely deployed media processing library, embedded in virtually every video player, streaming platform, browser, and media pipeline on the planet — and returned 21 confirmed zero-day vulnerabilities, each with a reproducible proof-of-concept exploit input. Total cost of the run: approximately $1,000.

Not $1,000 per finding. One thousand dollars total. For 21 previously unknown flaws in one of the most widely deployed, most security-audited open-source codebases in existence — a codebase that Google and Anthropic had both already subjected to intensive security analysis. Several bugs had been sitting latent for 15 to 20 years. One stack overflow in the service-description-table code was introduced in 2003 and sat untouched for 23 years.

The depthfirst finding does not arrive in isolation. The same week, Google released Chrome 149 with 429 security fixes — the most ever in a single Chrome release — with Google explicitly noting that AI-generated vulnerability reports are creating unprecedented patch triage pressure. Microsoft’s June Patch Tuesday, released today, is the largest in history at 200 CVEs, with industry analysts attributing the record volume to AI-accelerated vulnerability discovery. The White House AI executive order signed June 2 was itself triggered by Anthropic’s Mythos model demonstrating autonomous vulnerability discovery. The FFmpeg story is not an isolated event. It is a data point in a trend line that is moving fast.

  Researcher: Depthfirst autonomous security agent
  Target: FFmpeg — ~1.5 million lines of C code
  Zero-days found: 21 confirmed, each with reproducible PoC
  Total cost: ~$1,000 (vs ~$10,000 for Anthropic Mythos run)
  CVEs assigned: CVE-2026-39210 through CVE-2026-39218 (9 numbered; 12 more fixed, pending numbering)
  Oldest vulnerability: CVE-2026-39214 — Stack Buffer Overflow in SDT implementation, introduced 2003, latent 23 years
  Vulnerability types: Heap buffer overflows · Stack buffer overflows · Integer overflows · Memory safety issues
  Components affected: TS demuxer · VP9 decoder · RTP depacketizers · RTSP server · RTMP client · DASH demuxer · yuv4mpegenc · img2enc
  Most severe finding: DFVULN-127 — Heap buffer overflow in AV1 RTP depacketizer — RCE primitive demonstrated
  PoC availability: Published on GitHub by Zhenpeng (Leo) Lin of depthfirst
  Status: All 21 fixed in upstream FFmpeg — distribution security updates pending/available
  Concurrent event: Chrome 149: 429 security fixes — record single-release Chrome patch, 100+ Critical/High

What FFmpeg is — and why 21 zero-days there matters everywhere

FFmpeg is not a consumer product most people have heard of. It is the invisible infrastructure that processes media everywhere, from the browsers people use daily to the encoding pipelines behind the largest streaming platforms. It is bundled in:

  • Web browsers — Chromium-based browsers use FFmpeg for audio and video decoding
  • Streaming platforms — Netflix, YouTube, Twitch, and virtually every major streaming service use FFmpeg in their encoding and transcoding pipelines
  • Communication tools — Zoom, Teams, Discord, and similar platforms use FFmpeg for media processing
  • Operating systems — Linux distributions, macOS, and Android include FFmpeg in their media stacks
  • Security cameras and IoT devices — embedded in firmware for video processing
  • Python packages — dozens of widely used Python libraries depend on FFmpeg for media handling
  • Container images — bundled in countless Docker images for media processing workloads
  • Enterprise media pipelines — video conferencing infrastructure, broadcast encoding, content delivery

An exploitable memory corruption in FFmpeg’s media parsers — which routinely process untrusted media from external sources — is a zero-click attack surface. A malicious video file, audio stream, or RTSP feed can trigger the vulnerability without any user interaction beyond the media being processed. The most severe finding, DFVULN-127 (the AV1 RTP depacketizer heap overflow), has a demonstrated RCE primitive. Depthfirst’s writeup explicitly notes FFmpeg “is inherently security critical and a prime target for zero-click attacks.”

How the depthfirst agent works — and why it found what human auditors missed

Unlike general-purpose coding agents applied to security tasks, depthfirst built a specialized autonomous agent designed specifically for vulnerability research. The approach differs from both traditional fuzzing and simple static analysis in three important ways:

  • Threat modeling across large codebases. The agent maps attacker-controlled input entry points — every place external data can enter the codebase — and traces data flow through relevant components to identify where that input reaches potentially dangerous code paths. This is the same mental model a skilled human vulnerability researcher uses, applied at machine speed across 1.5 million lines.
  • Reachability validation. The agent validates whether a vulnerable code path is actually reachable from an attacker-controlled input — eliminating the false positive problem that makes traditional static analysis tools noisy and expensive to act on. Every finding depthfirst reported had a confirmed, reachable path from external input to the vulnerable code.
  • Reproducible PoC generation. Rather than flagging code patterns that look suspicious, the agent generates concrete proof-of-concept inputs that actually trigger the vulnerability. This is the distinction between “this code looks dangerous” and “here is the exact input that crashes the program here.” The PoCs are published on GitHub.

The cost comparison is instructive. Depthfirst puts the total run cost at approximately $1,000 — and explicitly frames this as roughly 10% of what Anthropic spent when its Claude Mythos model swept major software for vulnerabilities. The implication: the capability that triggered a White House executive order when Anthropic deployed it is now being replicated by specialized startups at a fraction of the cost. This is not a one-company capability. It is becoming a commodity.

The specific CVEs — what was found and when it was introduced

Nine CVEs have been formally assigned. The age of these vulnerabilities is as notable as their existence:

  • CVE-2026-39210 — Heap Buffer Overflow in the TS demuxer. Introduced 2010. Sitting for 16 years.
  • CVE-2026-39212 — Stack Overflow in ffmpeg_opt.c. Regression from July 2025.
  • CVE-2026-39213 — Heap Buffer Overflow in yuv4mpegenc. Introduced 2023 — missing dimension validation against packet size.
  • CVE-2026-39214 — Stack Buffer Overflow in the SDT implementation. Introduced 2003. Latent for 23 years. Writes service entries without tracking remaining buffer space.
  • CVE-2026-39215 — Heap Buffer Overflow in update_mb_info(). Introduced 2012. Logic error allows a write 12 bytes past the allocated buffer.
  • CVE-2026-39216 — Heap Buffer Overflow in img2enc.c. Introduced 2012. Safe chroma size replaced with unbounded dimension-derived size.
  • CVE-2026-39217 — Heap Buffer Overflow in the VP9 decoder. Regression from March 2025. Refactored size update function causes tile thread buffers to miss reallocations.
  • CVE-2026-39218 — Heap Buffer Overflow in the DASH demuxer. Introduced 2017. Fails to reject negative duration values, turning a fragment into a memory corruption.
  • DFVULN-127 — Heap Buffer Overflow in the AV1 RTP depacketizer (libavformat/rtpdec_av1.c). Pending CVE assignment. The most severe finding — RCE exploit primitive demonstrated.

Additional unnumbered findings affect the AVI demuxer, CAF demuxer, RTSP SDP parser, RTMP client, and AVIF overlay path — all dormant for over 15 years.

The broader signal: AI is finding vulnerabilities faster than humans can fix them

The FFmpeg findings and the Chrome 149 record patch release are independent events that point in the same direction. AI is finding vulnerabilities faster than the human patch process can absorb them. This is the threat dynamic the White House AI executive order was responding to — and the record 200-CVE Patch Tuesday released today is the most visible current manifestation of that dynamic.

A February 2026 study had an AI agent reproduce working PoCs for more than half of 100 real Linux kernel N-day bugs, beating traditional fuzzing. An autonomous tool recently found an authenticated RCE in Redis that had been present since version 7.2.0, unnoticed for over two years. The depthfirst FFmpeg run adds 21 more data points to the same trend. The pattern is consistent: C codebases that have accumulated contributions over decades contain memory safety bugs that have never been found because the search space is too large for human auditors and traditional fuzzing tools to cover exhaustively. AI agents with proper threat modeling and reachability validation cover that search space in hours, at costs measured in thousands of dollars.

The question this raises for every organization is the one TechGines posed directly: “If an AI agent can find 21 zero-days in FFmpeg for a thousand dollars, what’s sitting in my environment that has the same profile?” The Verizon DBIR 2026 found only 26% of CISA KEV vulnerabilities were fully remediated in 2025 — while exploitation timelines have already compressed to 5 days. AI-accelerated discovery will shorten that further. The patch management gap is structural and it is widening.

What to do now

  1. Update FFmpeg to the latest fixed upstream build immediately. All 21 vulnerabilities are fixed in upstream FFmpeg. Apply your distribution’s security update or pull the fixed upstream build. Do not assume a system package update is sufficient — see below.
  2. Audit every embedded FFmpeg copy. FFmpeg is widely bundled in Python wheels, Docker container images, media appliances, IoT firmware, and application dependencies. System package updates do not patch these embedded copies. Run a software composition analysis across your environment to identify every FFmpeg instance: find / -name "ffmpeg" -o -name "libavformat*" -o -name "libavcodec*" 2>/dev/null
  3. Prioritize systems that ingest untrusted media. The highest-risk deployments are those where FFmpeg processes media from external, untrusted sources — RTSP streams from external cameras, user-uploaded video, AV1-over-RTP from network sources. These are the attack surfaces most accessible to remote exploitation of DFVULN-127 and similar findings.
  4. Update Chrome to version 149.0.7827.53 (Linux) or 149.0.7827.53/54 (Windows/macOS) across all endpoints. Chrome’s FFmpeg usage means the browser-level update addresses some of the same underlying vulnerability surface. Confirm auto-update has run.
  5. Treat this as a software composition awareness trigger. Every organization running media processing infrastructure should conduct a full audit of where FFmpeg appears in their stack. The findings are fixed upstream — but only in the upstream build. Embedded, vendored, and containerized copies require individual attention.
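The inventory that steps 2 and 5 call for, as an added example script that is not code from depthfirst, FFmpeg or DataWater: it walks a filesystem root, lists every FFmpeg binary and libavformat/libavcodec shared object (including copies inside Python site-packages and unpacked container layers that a system package update never touches), tags each hit by where it came from, and reports the libav ABI major read from the file name so each copy can be checked against the upstream fix. The origin path patterns and library naming conventions are assumptions.

```shell
#!/bin/sh
# Added example, not code from depthfirst, FFmpeg or DataWater.
# Inventories every FFmpeg copy under a root: CLI binaries plus libavformat /
# libavcodec shared objects, including copies inside Python site-packages
# (wheels) and unpacked container layers that a system package update misses.
# Nothing found is executed; the version hint is read from the file name only.

# libav_major: ABI major from a library file name, or "-" when the name has none.
#   libavformat.so.61.7.100 -> 61   libavcodec.60.dylib -> 60   avformat-61.dll -> 61
libav_major() {
    base="${1##*/}"
    case "$base" in
        *.so.*)        v="${base#*.so.}"; echo "${v%%.*}" ;;
        lib*.*.dylib)  v="${base#*.}";    echo "${v%%.*}" ;;
        av*-*.dll)     v="${base#*-}";    echo "${v%%.*}" ;;
        *)             echo "-" ;;
    esac
}

# classify_origin: who has to ship the patch for this copy. The path patterns
# are assumptions about common layouts, not an exhaustive list.
classify_origin() {
    case "$1" in
        */site-packages/*|*/dist-packages/*)   echo python-wheel ;;
        */overlay2/*|*/containers/storage/*)   echo container-layer ;;
        /usr/lib*|/usr/bin/*|/lib*)            echo system-package ;;
        *)                                     echo vendored-or-other ;;
    esac
}

# ffmpeg_inventory ROOT: one tab-separated line per hit: origin, libav major, path.
ffmpeg_inventory() {
    root="${1:-/}"
    find "$root" -xdev \( -type f -o -type l \) \( \
        -name 'ffmpeg' -o -name 'ffprobe' \
        -o -name 'libavformat*.so*' -o -name 'libavcodec*.so*' \
        -o -name 'libavformat*.dylib' -o -name 'libavcodec*.dylib' \
        -o -name 'avformat-*.dll' -o -name 'avcodec-*.dll' \) 2>/dev/null \
    | sort | while IFS= read -r path; do
        printf '%s\t%s\t%s\n' "$(classify_origin "$path")" "$(libav_major "$path")" "$path"
    done
}
```

Run it once per host and once per unpacked container image root; every line whose major is older than the fixed build you deploy is a copy that still needs its own update.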

DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #26 — June 10, 2026. Previous: Microsoft June 2026 Patch Tuesday (June 10) · Claude Code Prompt Injection (June 8) · FIFA World Cup 2026 Fraud Wave (June 8).